[ https://issues.apache.org/jira/browse/PHOENIX-6579?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sergey Soldatov resolved PHOENIX-6579. -------------------------------------- Fix Version/s: 5.1.3 Resolution: Fixed > ACL check doesn't honor the namespace mapping for mapped views. > --------------------------------------------------------------- > > Key: PHOENIX-6579 > URL: https://issues.apache.org/jira/browse/PHOENIX-6579 > Project: Phoenix > Issue Type: Bug > Components: core > Affects Versions: 5.1.2 > Reporter: Sergey Soldatov > Assignee: Sergey Soldatov > Priority: Major > Fix For: 5.1.3 > > > When the namespace mapping and ACLs are enabled and the user tries to create > a view on top of the existing HBase table, the query would fail if he doesn't > have permissions for the default namespace. > {noformat} > *Error: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient > permissions (user=admin/ad...@example.com, scope=default:my_ns.my_table, > action=[READ]) > at > org.apache.phoenix.coprocessor.PhoenixAccessController.requireAccess(PhoenixAccessController.java:606) > at > org.apache.phoenix.coprocessor.PhoenixAccessController.preCreateTable(PhoenixAccessController.java:201) > at > org.apache.phoenix.coprocessor.PhoenixMetaDataCoprocessorHost$2.call(PhoenixMetaDataCoprocessorHost.java:171) > at > org.apache.phoenix.coprocessor.PhoenixMetaDataCoprocessorHost$2.call(PhoenixMetaDataCoprocessorHost.java:168) > at > org.apache.phoenix.coprocessor.PhoenixMetaDataCoprocessorHost$PhoenixObserverOperation.callObserver(PhoenixMetaDataCoprocessorHost.java:86) > at > org.apache.phoenix.coprocessor.PhoenixMetaDataCoprocessorHost.execOperation(PhoenixMetaDataCoprocessorHost.java:106) > at > org.apache.phoenix.coprocessor.PhoenixMetaDataCoprocessorHost.preCreateTable(PhoenixMetaDataCoprocessorHost.java:168) > at > org.apache.phoenix.coprocessor.MetaDataEndpointImpl.createTable(MetaDataEndpointImpl.java:1900) > at > org.apache.phoenix.coprocessor.generated.MetaDataProtos$MetaDataService.callMethod(MetaDataProtos.java:17317) > at > org.apache.hadoop.hbase.regionserver.HRegion.execService(HRegion.java:8313) > at > org.apache.hadoop.hbase.regionserver.RSRpcServices.execServiceOnRegion(RSRpcServices.java:2499) > at > org.apache.hadoop.hbase.regionserver.RSRpcServices.execService(RSRpcServices.java:2481) > at > org.apache.hadoop.hbase.shaded.protobuf.generated.ClientProtos$ClientService$2.callBlockingMethod(ClientProtos.java:42286) > at org.apache.hadoop.hbase.ipc.RpcServer.call(RpcServer.java:418) > at org.apache.hadoop.hbase.ipc.CallRunner.run(CallRunner.java:133) > at org.apache.hadoop.hbase.ipc.RpcExecutor$Handler.run(RpcExecutor.java:338) > at org.apache.hadoop.hbase.ipc.RpcExecutor$Handler.run(RpcExecutor.java:318) > (state=08000,code=101) > {noformat} > That happens because in the MetaData endpoint implementation we are still > using _SchemaUtil.getTableNameAsBytes(schemaName, tableName)_ for the mapped > view which knows nothing about namespace mapping, so the ACL check is going > against 'default:schema.table'. It could be fixed easy by replacing the call > with _SchemaUtil.getPhysicalHBaseTableName(schemaName, tableName, > isNamespaceMapped).getBytes();_ -- This message was sent by Atlassian Jira (v8.20.1#820001)